Tor Weekly News — July 10th, 2015

Welcome to the twenty-seventh issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Tails 1.4.1 is out

The Tails team announced version 1.4.1 of the anonymous live operating system. Most notable in this release is the fix of automatic upgrades in Windows Camouflage mode, and plugging a hole in Tor Browser’s AppArmor sandbox that previously allowed it to access the list of recently-used files.

For a full list of changes, see the team’s announcement. This release contains important security updates, so head to the download page (or the automatic upgrader) as soon as possible.

Tor Browser 4.5.3 and 5.0a3 are out

The Tor Browser team put out new releases in both the stable and alpha series of the secure, private web browser. Tor Browser 4.5.3 contains updates to Firefox, OpenSSL, NoScript, and Torbutton; it also fixes a crash triggered by .svg files when the security slider was set to “High”, and backports a Tor patch that allows domain names containing underscores (a practice generally discouraged) to resolve properly. For example, users should now be able to view the website of the New York Times without problems.

Tor Browser 5.0a3, meanwhile, is the first release to be based on Firefox 38 ESR. “For this release, we performed a thorough network and feature review of Firefox 38, and fixed the most pressing privacy issues, as well as all Tor proxy safety issues that we discovered during the audit”, wrote Georg Koppen. Changes to the toolchain used to build the browser mean “we are […] especially interested in feedback if there are stability issues or broken Tor Browser bundles due to these toolchain upgrades”.

These are important security releases, and you should upgrade to the new version in whichever series you prefer. Head to the download page to get your first copy of Tor Browser, or use the in-browser updater.

Tor unaffected by new OpenSSL security issue

A few days ago, the team behind the essential Internet encryption toolkit OpenSSL announced that a security issue classified as “high” would shortly be disclosed and fixed, leading to concern that another Heartbleed was on the cards. In the event, the now-disclosed CVE-2015-1793 vulnerability does not appear to affect either the Tor daemon or Tor Browser, as Nick Mathewson explained. However, you should still upgrade your OpenSSL as soon as possible, in order to protect the other software you use which may be vulnerable.

OVH is the largest and fastest-growing AS on the Tor network

nusenu observed that the hosting company OVH is both the largest autonomous system on the Tor network by number of relays, and the fastest-growing. While it’s no bad thing to have multiple relays located on the same network, it becomes a problem if any one entity (or someone who watches them closely enough) is able to observe too large a fraction of Tor traffic — they would then be in a position to harm the anonymity of Tor users.

This is what is meant by “diversity” on the Tor network. If you’re considering running a Tor relay, then as nusenu says, “choose non-top 10 ASes when adding relays (10 is an arbitrary number)”. See nusenu’s post for more information on how to select a hosting location for a stronger and more diverse Tor network.

More monthly status reports for June 2015

The wave of regular monthly reports from Tor project members for the month of June continued, with reports from Leiah Jansen (working on graphic design and branding), Georg Koppen (developing Tor Browser), Isabela Bagueros (overall project management), Sukhbir Singh (developing Tor Messenger), Arlo Breault (also working on Tor Messenger, as well as Tor Check), Colin Childs (carrying out support, localization, and outreach), and Juha Nurmi (working on onion service indexing).

David Fifield published the regular summary of costs incurred by the infrastructure for the meek pluggable transport over the past month. “The rate limiting of meek-google and meek-amazon has been partially effective in bringing costs down. […] meek-azure bandwidth use continues to increase, up 17% compared to the previous month. Keep in mind that our grant expires in October, so you should not count on it continuing to work after that.”

Following Donncha O’Cearbhaill’s 0.0.1 alpha release of OnionBalance, s7r called for help putting it to the test on a running onion service. One week on, there have been four million hits on the service, with hardly a murmur of complaint from OnionBalance or the service it is handling: “the same instances are running since service first started, no reboot or application restart”. See s7r’s post for more numbers.

This issue of Tor Weekly News has been assembled by the Tails team, Karsten Loesing, teor, and Harmony.
Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!